This topic describes how to create an instance RAM role, attach a policy to an instance RAM role, and attach an instance RAM role to an Elastic Compute Service (ECS) instance by calling API operations.
Prerequisites
- The ECS instance to which you want to attach an instance RAM role resides in a virtual private cloud (VPC).
- If you attached an instance RAM role to an ECS instance and want to access the APIs of other Alibaba Cloud services from applications that are deployed on the instance, you must obtain a temporary authorization token for the instance RAM role by using the instance metadata. For more information, see Obtain a temporary authorization token.
Procedure
- Step 1: Create an instance RAM role
- Step 2: Attach a policy to an instance RAM role
- Step 3: Attach an instance RAM role to an ECS instance
- Step 4: (Optional) Detach an instance RAM role from an ECS instance
- Step 5: (Optional) Obtain a temporary authorization token
- Step 6: (Optional) Grant a RAM user the permissions to use an instance RAM role
Step 1: Create an instance RAM role
Call the CreateRole operation to create an instance RAM role.
Set the RoleName parameter. In this example, the parameter is set to EcsRamRoleDocumentTesting. Set the AssumeRolePolicyDocument parameter (the trust policy of the role) to the following policy, which allows only the ECS service to assume the role:
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"ecs.aliyuncs.com"
]
}
}
],
"Version": "1"
}
Step 2: Attach a policy to an instance RAM role
- Call the CreatePolicy operation to create a policy. Take note of the following items:
- Set the PolicyName parameter. For example, set the parameter to EcsRamRoleDocumentTestingPolicy.
- Set the PolicyDocument parameter based on the following policy, which grants read-only access (oss:Get* and oss:List*) to Object Storage Service (OSS):
{
"Statement": [
{
"Action": [
"oss:Get*",
"oss:List*"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "1"
}
- Call the AttachPolicyToRole operation to attach the policy to an instance RAM role. Take note of the following items:
- Set the PolicyType parameter to Custom.
- Set the PolicyName parameter. For example, set the parameter to EcsRamRoleDocumentTestingPolicy.
- Set the RoleName parameter. For example, set the parameter to EcsRamRoleDocumentTesting.
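The following Python helper, added here as an example and not part of the original topic or of any Alibaba Cloud SDK, builds the two documents used in Step 1 and Step 2 (the trust policy passed as AssumeRolePolicyDocument and the permission policy passed as PolicyDocument) and lints them before they are sent to CreateRole and CreatePolicy. The lint rules (only ecs.aliyuncs.com may assume the role; the role gets read-only actions; a Resource of "*" is reported) are this example's own checks, not rules from the RAM service. The role and policy names are the ones used in this topic.

```python
import json

# Names used in this topic (Step 1 role, Step 2 policy).
ROLE_NAME = "EcsRamRoleDocumentTesting"
POLICY_NAME = "EcsRamRoleDocumentTestingPolicy"
ECS_SERVICE_PRINCIPAL = "ecs.aliyuncs.com"


def build_trust_policy() -> str:
    """Return the AssumeRolePolicyDocument string for CreateRole (Step 1).

    Only the ECS service principal may assume the role, so the role's
    credentials can be obtained from instance metadata and nowhere else.
    """
    doc = {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [ECS_SERVICE_PRINCIPAL]},
        }],
        "Version": "1",
    }
    return json.dumps(doc)


def build_permission_policy(actions, resource="*") -> str:
    """Return the PolicyDocument string for CreatePolicy (Step 2)."""
    doc = {
        "Statement": [{"Action": list(actions), "Effect": "Allow", "Resource": resource}],
        "Version": "1",
    }
    return json.dumps(doc)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(document: str) -> list:
    """Report Allow statements that let anything other than ECS assume the role."""
    findings = []
    for stmt in json.loads(document).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append("principal is not restricted to a service")
            continue
        for key, values in principal.items():
            values = _as_list(values)
            if key != "Service":
                findings.append(f"non-service principal allowed: {key}={values}")
                continue
            for service in values:
                if service != ECS_SERVICE_PRINCIPAL:
                    findings.append(f"unexpected service principal: {service}")
    return findings


def lint_permission_policy(document: str) -> list:
    """Report actions beyond read-only (Get/List/Describe) and unscoped resources."""
    findings = []
    for stmt in json.loads(document).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            name = action.partition(":")[2]
            if action == "*" or name == "*":
                findings.append(f"overly broad action: {action}")
            elif not name.startswith(("Get", "List", "Describe")):
                findings.append(f"non-read action: {action}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append("Resource is '*'; consider scoping to specific OSS buckets")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy()
    perms = build_permission_policy(["oss:Get*", "oss:List*"])
    print("RoleName:", ROLE_NAME, "findings:", lint_trust_policy(trust))
    print("PolicyName:", POLICY_NAME, "findings:", lint_permission_policy(perms))
```

Run against the topic's own policies, the trust policy produces no findings and the permission policy produces only the note about Resource "*"; narrowing the resource to the buckets the instance actually needs removes that note.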
Step 3: Attach an instance RAM role to an ECS instance
Call the AttachInstanceRamRole operation to attach an instance RAM role to an ECS instance.
- Set the RegionId and InstanceIds parameters to specify an ECS instance.
- Set the RamRoleName parameter. For example, set the parameter to EcsRamRoleDocumentTesting.
Step 4: (Optional) Detach an instance RAM role from an ECS instance
Call the DetachInstanceRamRole operation to detach an instance RAM role from an ECS instance.
- Set the RegionId and InstanceIds parameters to specify the ECS instance.
- Set the RamRoleName parameter. For example, set the parameter to EcsRamRoleDocumentTesting.
Step 5: (Optional) Obtain a temporary authorization token
You can obtain a temporary authorization token for the instance RAM role. The token is rotated automatically on a regular basis. Applications on the instance can use the token to call Alibaba Cloud APIs with the permissions of the instance RAM role and access the resources that the role is allowed to access. You can perform the following operations:
- For a Linux instance, run the following command:
curl http://100.100.100.200/latest/meta-data/Ram/security-credentials/EcsRamRoleDocumentTesting
- For a Windows instance, see Overview of ECS instance metadata for information about how to query the temporary authorization token of the instance RAM role.
The following sample response is returned:
{
"AccessKeyId" : "XXXXXXXXX",
"AccessKeySecret" : "XXXXXXXXX",
"Expiration" : "2017-11-01T05:20:01Z",
"SecurityToken" : "XXXXXXXXX",
"LastUpdated" : "2017-10-31T23:20:01Z",
"Code" : "Success"
}
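The following Python class is an added example, not code from the original topic or from an Alibaba Cloud SDK. It reads the credential document from the metadata endpoint shown above, checks the Code field, and caches the AccessKeyId, AccessKeySecret and SecurityToken until shortly before Expiration, so an application refreshes the token before it goes stale instead of on every call. The fetch function and clock are injectable; the demo uses a constructed response with the placeholder values from the sample above and a fixed clock, so it runs off the instance. The 5-minute refresh margin is this example's choice.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

METADATA_URL = "http://100.100.100.200/latest/meta-data/Ram/security-credentials/"
ROLE_NAME = "EcsRamRoleDocumentTesting"


def fetch_from_metadata(role_name: str) -> str:
    """Read the credential JSON from instance metadata (works only on an ECS instance)."""
    with urllib.request.urlopen(METADATA_URL + role_name, timeout=2) as resp:
        return resp.read().decode()


def parse_expiration(value: str) -> datetime:
    """Expiration is given as UTC in the form 2017-11-01T05:20:01Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class InstanceRoleCredentials:
    """Caches the role's temporary credentials and refreshes them ahead of Expiration."""

    def __init__(self, role_name, fetch=fetch_from_metadata,
                 refresh_margin=timedelta(minutes=5), now=None):
        self.role_name = role_name
        self._fetch = fetch
        self._margin = refresh_margin
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._creds = None
        self._expires = None
        self.fetch_count = 0  # how many times metadata was actually queried

    def get(self) -> dict:
        """Return AccessKeyId/AccessKeySecret/SecurityToken, refreshing when needed."""
        if self._creds is None or self._now() >= self._expires - self._margin:
            body = json.loads(self._fetch(self.role_name))
            if body.get("Code") != "Success":
                # Never hand out credentials from an error document.
                raise RuntimeError(f"metadata returned Code={body.get('Code')!r}")
            self._creds = {k: body[k] for k in ("AccessKeyId", "AccessKeySecret", "SecurityToken")}
            self._expires = parse_expiration(body["Expiration"])
            self.fetch_count += 1
        return self._creds


# Constructed sample in the shape of the response above (placeholder values, not real credentials).
SAMPLE_RESPONSE = json.dumps({
    "AccessKeyId": "XXXXXXXXX",
    "AccessKeySecret": "XXXXXXXXX",
    "Expiration": "2017-11-01T05:20:01Z",
    "SecurityToken": "XXXXXXXXX",
    "LastUpdated": "2017-10-31T23:20:01Z",
    "Code": "Success",
})


def demo() -> int:
    """Three reads at different times against the sample: fetch, cache hit, refresh."""
    clock = {"t": datetime(2017, 10, 31, 23, 30, tzinfo=timezone.utc)}
    creds = InstanceRoleCredentials(ROLE_NAME, fetch=lambda _: SAMPLE_RESPONSE,
                                    now=lambda: clock["t"])
    creds.get()                                                   # first call queries metadata
    clock["t"] = datetime(2017, 11, 1, 5, 0, tzinfo=timezone.utc)
    creds.get()                                                   # still valid, served from cache
    clock["t"] = datetime(2017, 11, 1, 5, 16, tzinfo=timezone.utc)
    creds.get()                                                   # inside the margin, refreshed
    return creds.fetch_count


if __name__ == "__main__":
    print("metadata queried", demo(), "times")
```

On a real instance, construct InstanceRoleCredentials(ROLE_NAME) with the defaults and call get() before each API request; the SecurityToken must be sent together with the AccessKeyId and AccessKeySecret, since the pair is useless without it.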
Step 6: (Optional) Grant a RAM user the permissions to use an instance RAM role
- Log on to the RAM console.
- Grant a RAM user the permissions to use the instance RAM role. For more information, see Grant permissions to the RAM user.
{
"Version": "2016-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:[ECS RAM Action]",
"ecs:CreateInstance",
"ecs:AttachInstanceRamRole",
"ecs:DetachInstanceRamRole"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "*"
}
]
}
[ECS RAM Action] is a placeholder for the ECS permissions that you want to grant to the RAM user. For more information, see Authentication rules.
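The policy above grants ram:PassRole on Resource "*", which lets the RAM user attach any role in the account to an instance, not only EcsRamRoleDocumentTesting. The following Python example, added here and not part of the original topic, shows the broad statement beside a version scoped to the single role and a small evaluator that answers "does this policy allow this action on this resource" with glob matching, so the difference can be checked rather than eyeballed. The role ARN format acs:ram::<account-id>:role/<role-name> is an assumption for this example (confirm it against your RAM console), the account ID is a placeholder, and the evaluator's matching rules (explicit Deny wins, case-sensitive glob) are this example's simplification of RAM evaluation.

```python
import fnmatch

ROLE_NAME = "EcsRamRoleDocumentTesting"
ACCOUNT_ID = "000000000000000"          # placeholder, constructed for this example
ROLE_ARN = f"acs:ram::{ACCOUNT_ID}:role/{ROLE_NAME}"   # assumed ARN form

# The ECS actions named in the topic; [ECS RAM Action] is left out because it is a placeholder.
ECS_ACTIONS = ["ecs:CreateInstance", "ecs:AttachInstanceRamRole", "ecs:DetachInstanceRamRole"]

# As written in the topic: PassRole on every role in the account.
BROAD_POLICY = {
    "Version": "2016-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ECS_ACTIONS, "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:PassRole", "Resource": "*"},
    ],
}

# Least privilege: the user may pass only the one instance RAM role.
SCOPED_POLICY = {
    "Version": "2016-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ECS_ACTIONS, "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:PassRole", "Resource": ROLE_ARN},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow permits."""
    allowed = False
    for stmt in policy["Statement"]:
        action_match = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_match = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if action_match and resource_match:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def unscoped_passrole(policy: dict) -> bool:
    """True if the policy lets the user pass roles other than the intended one."""
    other_role = f"acs:ram::{ACCOUNT_ID}:role/SomeOtherRole"   # constructed probe value
    return is_allowed(policy, "ram:PassRole", other_role)


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "can pass", ROLE_NAME, is_allowed(policy, "ram:PassRole", ROLE_ARN),
              "| can pass other roles:", unscoped_passrole(policy))
```

Both policies let the user attach EcsRamRoleDocumentTesting; only the broad one also lets them attach any other role, which is the case to look for when reviewing what a RAM user has been granted.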